YaBB Community and Support Forum
YaBB Home About YaBB Download YaBB YaBB Support Customize Your Forum Development Contribute to the Project
  Welcome, Guest. Please Login or Register


 
Pages: 1 2 3 
Topic Tools
 
Board hacked - how to solve this Safety-Issue? (Read 5,340 times)
 Reply #15 - Aug 6th, 2012 at 10:48pm
There are no actions to perform.  

JonB 
YaBB Administrator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline
Posts: 3,617
Land of the Blazing Sun!


None
Re: Board hacked - how to solve this Safety-Issue?
@xnoddyx

Quote:
It's my understanding that those will only help if you're actually using mySQL. (It looks like those features simply came from the original Guardian script as a one-size-fits-all thing.)


Dandello is exactly correct - pure 'anti-MySQL-injection' tools.

Here's something else that might be the case - it could be that the bot is trying to validate itself - that would go with the 'can't be found' as the 'written' file's name was truncated by all the escaped characters.

I think we need to ask 'what is the registration method'?

and look at when the .pre file is written and what opens or evaluates it.

Wink
 
I find your lack of faith disturbing.
 
IP Logged  
 Reply #16 - Aug 6th, 2012 at 11:24pm
There are no actions to perform.  

Bill Myers 
God Member
Beta Testers
*****
Offline
Posts: 1,482
Los Angeles


YaBB 2.4
Re: Board hacked - how to solve this Safety-Issue?
Dandello wrote on Aug 6th, 2012 at 10:15pm:
... someone is repeatedly trying to login and/or register with garbage strings ...

... I'm not sure if the lock-up issue is one that was taken care of in 2.4/2.5 ...

If it helps to know, I can confirm that garbage strings that have shown up in our 2.4 errors logs have not locked up anyone's ability to log in to our forum; thankfully.

I didn't know this about MySQL, but it makes sense. Good to know.

« Last Edit: Aug 6th, 2012 at 11:34pm by Bill Myers »  
Morning, noon, or night, have a great one! ...
WWW BillHMyers  
IP Logged  
 Reply #17 - Aug 7th, 2012 at 12:25am
There are no actions to perform.  

xnoddyx 
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
****
Offline
Posts: 1,552
UK:Scotland/livingston


YaBB 2.5
Re: Board hacked - how to solve this Safety-Issue?
JonB wrote on Aug 6th, 2012 at 10:48pm:
@xnoddyx

Quote:
It's my understanding that those will only help if you're actually using mySQL. (It looks like those features simply came from the original Guardian script as a one-size-fits-all thing.)


Dandello is exactly correct - pure 'anti-MySQL-injection' tools.

Here's something else that might be the case - it could be that the bot is trying to validate itself - that would go with the 'can't be found' as the 'written' file's name was truncated by all the escaped characters.

I think we need to ask 'what is the registration method'?

and look at when the .pre file is written and what opens or evaluates it.

Wink

its just that i have never had any string urls in any of my forums and thats from 2.3.1 and up and also on test forums where i have put the url up on spam traps and was just thinking it was stoping it in some way
 
YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
WWW xnoddyx xnoddyx1  
IP Logged  
 Reply #18 - Aug 7th, 2012 at 3:23am
There are no actions to perform.  

Dandello 
Global Moderator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline
Posts: 1,856
Earth


YaBB 2.5
Re: Board hacked - how to solve this Safety-Issue?
I can go for months without seeing one of the super-strings in my error log, then three will show up in one day.

Of course, of greater concern for the OP is why 2.3.1 seems to have this vulnerability. I wouldn't want to recommend upgrading to 2.4 or 2.5 unless we're quite sure this is something that doesn't hit newer boards, especially as it looks like there's not much difference between the code in LogInOut.pl 2.3.1 and 2.5AE.

Or is the OP's board being hit repeatedly by the same spammer so it just looks like it's locked up. Need to see the error log to check out that one.
 
WWW  
IP Logged  
 Reply #19 - Aug 8th, 2012 at 2:38pm
There are no actions to perform.  

GT-Eins 
YaBB Newbie
*
Offline
Posts: 34
Garbsen, Hannover, Germany


None
Re: Board hacked - how to solve this Safety-Issue?
On 2 occasions now I found the following string in the error-log of the admin-site:
Quote:
out#radbom[a..z]qo
(5.39.218.236)      

Fehler: Ein ungültiges Zeichen ist im Benutzername Feld. Gültige Zeichen sind Buchstaben (A-Z,a-z), Zahlen (0-9), Leerzeichen und ( + - . @ _ )

http://www.gt-eins.at/cgi-bin/GT1-Forum/YaBB.pl?board=&action=login2

Obvoiusly a bot trying to register with not supported Characters.
 
WWW  
IP Logged  
 Reply #20 - Aug 8th, 2012 at 3:24pm
There are no actions to perform.  

Dandello 
Global Moderator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline
Posts: 1,856
Earth


YaBB 2.5
Re: Board hacked - how to solve this Safety-Issue?
Odd that the other errors you're describing aren't showing up in the error log since they should.

Anything that throws an error to the screen should be written into the error log - unless the error log is full. (I have mine set to 500 - that's about the number of errors I see on my sites in 1-2 days depending on traffic. You may want to set yours to a higher limit and keep checking it.)

I'm still betting that a bot is trying to log in with a 'super-string' and either there's something in that string that isn't being properly caught (or was caught and removed) so it's locking up the program or they're doing it repeatedly making it look like it's locked up.

BUT, the good news is your forum probably hasn't been hacked as the error being thrown won't let them in (otherwise it wouldn't be an error.) When you catch the IP addresses of the culprits, add them to your banned IP list to keep them from trying this BS again - until they change IPs.
 
WWW  
IP Logged  
 Reply #21 - Aug 8th, 2012 at 5:09pm
There are no actions to perform.  

GT-Eins 
YaBB Newbie
*
Offline
Posts: 34
Garbsen, Hannover, Germany


None
Re: Board hacked - how to solve this Safety-Issue?
They seem to change IP constantly - getting fed up with these! Angry
 
WWW  
IP Logged  
 Reply #22 - Aug 8th, 2012 at 6:11pm
There are no actions to perform.  

Dandello 
Global Moderator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline
Posts: 1,856
Earth


YaBB 2.5
Re: Board hacked - how to solve this Safety-Issue?
The next question - is it one login attempt causing the board to misbehave or is it multiple attempts?

I'm thinking what we may need is a mod that captures undesirable strings or overlong strings during the login/registration process and blocks them before they even get to the rest of the process. And adding parts of the domain name listed in the string to your Guardian Environment String Blocking probably wouldn't hurt.

The reason I keep talking about login is that the process goes like this:
Someone registers under email verification and/or Admin Approval. Their registration info is written to a .pre file and into membership.inactive. When their account is verified, that .pre file is replaced with a .vars file and the info in membership.inactive gets split into memberinfo.txt and memberlist.txt. BUT bad characters are supposed to go through a replacement process to protect the system.

AND between those two events, if someone tries to login before getting verified, the system looks in the memberinfo.txt  for the  .vars for the member with those credentials, then through the membership.inactive for the name on the .pre file, then the .pre file, before deciding that 'user' doesn't exist.

Now, for whatever reason,  the login process is getting  bogged - maybe during the check of membership.inactive since the .pre file doesn't match.

Just a thought - have you checked the membership.inactive file through either your host file manager or FTP?


Just double checked LogInOut to find the logic path.

And there IS a difference between. 2.3.1 and 2.5 in LogInOut.pl .

So an upgrade to 2.5 will probably stop this.

Int the meantime, open LogInOut.pl in a good text editor and find:
Code Select All
	&fatal_error("invalid_character","$loginout_txt{'35'} $loginout_txt{'241r'}") if ($username =~ /[^\w\+\-\.\@]/);
 



Replace it with:
Code Select All
	&fatal_error("invalid_character","$loginout_txt{'35'} $loginout_txt{'241r'}") if $username =~ /[^ \w\x80-\xFF\[\]\(\)#\%\+,\-\|\.:=\?\@\^]/;
 


This filter has to be passed before the program starts looking for the member files and should (I hope) help you out by blocking super-strings with bad characters in them.
« Last Edit: Aug 8th, 2012 at 8:56pm by Dandello »  
WWW  
IP Logged  
 Reply #23 - Aug 9th, 2012 at 4:20pm
There are no actions to perform.  

GT-Eins 
YaBB Newbie
*
Offline
Posts: 34
Garbsen, Hannover, Germany


None
Re: Board hacked - how to solve this Safety-Issue?
OK
I modified LogInOut.pl in the described way
lets see if that works
 
WWW  
IP Logged  
 Reply #24 - Aug 9th, 2012 at 6:22pm
There are no actions to perform.  

Dandello 
Global Moderator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline
Posts: 1,856
Earth


YaBB 2.5
Re: Board hacked - how to solve this Safety-Issue?
We'll keep our fingers crossed.  Wink
 
WWW  
IP Logged  
 Reply #25 - Aug 9th, 2012 at 7:02pm
There are no actions to perform.  

GT-Eins 
YaBB Newbie
*
Offline
Posts: 34
Garbsen, Hannover, Germany


None
Re: Board hacked - how to solve this Safety-Issue?
OK - At least the error now finally appeared in the error-log - but just for an half hour then no further attempt was recorded.
There appeared also other error-codes like the following 2 :

Quote:
Fehler: Untrapped Error :
./Sources/LogInOut.pl did not return a true value at ./Sources/Subs.pl line 1407.

http://www.gt-eins.at/cgi-bin/GT1-Forum/YaBB.pl?board=0403&action=&num=126112959...


or
Quote:
Fehler: Untrapped Error :
./Sources/LogInOut.pl did not return a true value at YaBB.pl line 162.

http://www.gt-eins.at/cgi-bin/GT1-Forum/YaBB.pl?board=&action=login


But Things are looking good so far (Final confirmation tomorrow...)
 
WWW  
IP Logged  
 Reply #26 - Aug 9th, 2012 at 7:25pm
There are no actions to perform.  

Dandello 
Global Moderator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline
Posts: 1,856
Earth


YaBB 2.5
Re: Board hacked - how to solve this Safety-Issue?
Are these new errors happening when regular members try to log in or when someone tries a 'super-string'?

What the error is telling us is that something stopped LogInOut.pl from going all the way to the end of the script like it's supposed to. But if it's only happening when a spammer is trying a super-string then that might be an error you can live with. I suspect the ultimate solution will be for you to upgrade to 2.5 at some point.
 
WWW  
IP Logged  
 Reply #27 - Aug 10th, 2012 at 12:40am
There are no actions to perform.  

xnoddyx 
Support Team
Documentation Team
YaBB Moderators
YaBB Next Team
Beta Testers
****
Offline
Posts: 1,552
UK:Scotland/livingston


YaBB 2.5
Re: Board hacked - how to solve this Safety-Issue?
Dandello yep looks like a bot attack most of the Error Log is full with Quote:
Error: The validation code is not identical to that shown on-screen graphics. Please go back, reload the page (press F5 in most browsers) and try again.
66 of them and 87 Quote:
Error: username / password is incorrect. Either the username does not exist, or you used the wrong password.
and 2 ALERT!! Form Spoofing Detected coming from IP address: all out of 212 the Registration Log is sitting at 3418 pages as well
 
YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
WWW xnoddyx xnoddyx1  
IP Logged  
 Reply #28 - Aug 10th, 2012 at 1:32am
There are no actions to perform.  

Dandello 
Global Moderator
YaBB Next Team
Operations Team
Beta Testers
Support Team
*****
Offline
Posts: 1,856
Earth


YaBB 2.5
Re: Board hacked - how to solve this Safety-Issue?
Well, the registration log can be emptied out and the errors cleared - I'm assuming that regular users aren't being negatively effected?

I'm told that Anti-Spam Question should work on 2.3.1 http://www.boardmod.org/yabb2/YaBB.pl?num=1316894374
or SpamFruits http://www.carsten-dalgaard.dk/cgi-bin/yabb2/YaBB.pl?num=1318072608

Either one of these should stop them in their tracks.
 
WWW  
IP Logged  
 Reply #29 - Aug 10th, 2012 at 12:08pm
There are no actions to perform.  

GT-Eins 
YaBB Newbie
*
Offline
Posts: 34
Garbsen, Hannover, Germany


None
Re: Board hacked - how to solve this Safety-Issue?
Sh§t!!
Its still there
And also the error log is now corrupted as well!
...

I´ll empty the registration-log at once

an update on 2.5 is on our schedule (but just near winter  Embarrassed )
 
WWW  
IP Logged  
Pages: 1 2 3 
Topic Tools
 

Get Yet another Bulletin Board at SourceForge.net. Fast, secure and Free Open Source software downloads Support This Project BoardMod - YaBB features and templates YaBB Codex - support on installation and usage YaBB Toolbar for your browser

YaBB Facebook Group Page

Vulnerability Scanner

Valid RSS Valid XHTML Valid CSS Powered by Perl
YaBB Chat and Support Community » Powered by YaBB 3.0 Beta!
YaBB Forum Software © 2000-2011. All Rights Reserved.